Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Global Protect 5.0.2 - working deployments/configurations, open issues and everything else

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect 5.0.2 - working deployments/configurations, open issues and everything else

L7 Applicator

Hi community

 

Today Global Protect Version 5.0.2 was released. The way to this version was a long one. I had 10 open cases with different issues that I reported for Version 5.0.0 and 5.0.1. Most of them are fixed in 5.0.2 so this version - from what I was able to test so far - could be the best for the past years as also issues from earlier versions than 5 are now fixed. And in addition to the ones that my company reported there were even more issues from other ones and also fixed in 5.0.2.

Anyway what I intend to do with this topic is a collection of working deployments and also putting together a list with still open problems in Global Protect 5.0.2. My hope is that Global Protect- with the help of the community - will get even better and have less issues / bugs.

 

So I ask you to write your working configurations and also the open issues (including case numbers if possible so others can reference these numbers if they also open cases) - only related to GP 5.0.2.

 

Let's see if something helpful will be created in this topic 😉

 

Regards,

Remo

13 REPLIES 13

L7 Applicator

Working configurations ...

L7 Applicator

Open issues

#PA Bug IDDescriptionSteps to reproduceCase number(s)Fixed in Version
1-Two authentications sent from GP Agent to the firewall (in case of using MFA with SMS this means two SMS are sent to the user)Not (yet) available01096611-
2-In rare situations GP detects a Captive Portal dven if there isn't one. If you have configured MFA (with RADIUS) and you are also enforcing GP this meant if the user cancels the MFA he has access to the network/internet without a VPN connectionNot (yet) available01146221-
3-After resuming from sleep mode Global Protect gets stuck with Captive Portal detection (in a network without a captive portal) and is not able to connect without a manual reconnect.Not (yet) available--
4-After resuming from standby it took about about 30 seconds (after connection to external network was established) until global protect continued with establishing a connection. Prior to standby the computer was connected to the same external network and GP was connected.Not (yet) available01146236-
5-When nothing is entered on the OTP prompt, GP gets stuck at "still working" and only be restarting pangpa or with a reboot the issue can be resolved.Simply klick OK on the OTP prompt without entering anything

01147011

01147324

5.0.3

L1 Bithead

I have to agree that 5.0.2 is much better. We deployed GP about 8 months ago from 4.1.3 and have non-stop issues and experience for the user has been horrible. We had also identified bugs in each of the versions also. 

We still need to test the client when user is connecting from hotel, cafe wifi where there is captive portal involved.

 

 

Our Configuration is we are doing prelogon with always on setup. At the portal level we do LDAP with certificate and Gateway level OTP (Microsoft MFA (similar to duo cloud) ) with certificate. We are not doing split tunnel at this time and have enforce set to yes. We have enabled SSO. 

 

What is your current configuraiton? What are the issues you are seeing with 5.0.2 that are outstanding for you?

 

 

Curious if you or someone else has come across this issue.. seeing this 5.0.2 in the logs i think seen it in previous version but have not been able to re-produce and is not something that happens often 

 

When i took my machine out sleep connected to my home wifi seeing the below message during network discovery. Disconnected my wifi and then reconnected after which i was able to connect

 

(T14860) 05/07/19 23:06:25:349 Debug(1843): DnsQuery returns 1460
(T15604) 05/07/19 23:06:27:203 Debug(3905): CPD, reset cp detection history
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (captive.apple.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(3917): CPD, index=0, iRet=-1, lastError=0
(T15604) 05/07/19 23:06:27:203 Debug(3931): CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (clients3.google.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(3917): CPD, index=1, iRet=-1, lastError=-1
(T15604) 05/07/19 23:06:27:203 Debug(3931): CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
(T15604) 05/07/19 23:06:27:203 Info ( 482): pan_get_ip_by_host() getaddrinfo failed with error code (11001)!
(T15604) 05/07/19 23:06:27:203 Error( 87): pan_captive_portal_detection() failed to resolve captive portal server:service (www.msftconnecttest.com:80)
(T15604) 05/07/19 23:06:27:203 Debug(3917): CPD, index=2, iRet=-1, lastError=-1
(T15604) 05/07/19 23:06:27:203 Debug(3931): CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 0
(T15604) 05/07/19 23:06:27:203 Debug(4101): CaptivePortalDetectionThread: Didn't detect captive portal currently, and bCaptivePortalDetectedOnce=(0).
(T15604) 05/07/19 23:06:27:203 Debug(3993): CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.
(T14860) 05/07/19 23:06:28:351 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:28:351 Debug(1869): Already takes 3 seconds for all dns queries.
(T14860) 05/07/19 23:06:28:351 Debug(1843): DnsQuery returns 1460
(T14860) 05/07/19 23:06:31:362 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:31:362 Debug(1869): Already takes 6 seconds for all dns queries.
(T14860) 05/07/19 23:06:31:362 Debug(1843): DnsQuery returns 1460
(T14860) 05/07/19 23:06:34:363 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:34:363 Debug(1869): Already takes 9 seconds for all dns queries.
(T14860) 05/07/19 23:06:34:363 Debug(1843): DnsQuery returns 1460
(T14860) 05/07/19 23:06:37:366 Debug(1851): Retry DnsQuery.
(T14860) 05/07/19 23:06:37:366 Debug(1869): Already takes 12 seconds for all dns queries.

 

 

 

@rj_raj 

Prior to entering sleep mode, where was your machine connected? in the internal/corporate network or were you already connected to your home wifi or another network?

L7 Applicator

I will test the following configurations:

  • Config 1
"Portal Client Config" {
  hip-collection {
    max-wait-time 20;
    collect-hip-data yes;
  }
  gateways {
    external {
      list {
        GATEWAY {
          fqdn GATEWAY;
          priority-rule {
            Any {
              priority 1;
            }
          }
          manual no;
        }
      }
      cutoff-time 5;
    }
  }
  authentication-override {
    generate-cookie no;
  }
  source-user any;
  os any;
  agent-ui {
    max-agent-user-overrides 0;
    agent-user-override-timeout 0;
  }
  internal-host-detection {
    ip-address INTERNAL-IP;
    hostname INTERNAL-FQDN;
  }
  gp-app-config {
    config {
      connect-method {
        value pre-logon;
      }
      refresh-config-interval {
        value 1;
      }
      agent-user-override {
        value allowed;
      }
      client-upgrade {
        value disabled;
      }
      use-sso {
        value yes;
      }
      logout-remove-sso {
        value yes;
      }
      krb-auth-fail-fallback {
        value yes;
      }
      retry-tunnel {
        value 1;
      }
      retry-timeout {
        value 1;
      }
      enforce-globalprotect {
        value yes;
      }
      captive-portal-exception-timeout {
        value 3600;
      }
      traffic-blocking-notification-delay {
        value 5;
      }
      display-traffic-blocking-notification-msg {
        value no;
      }
      traffic-blocking-notification-msg {
        value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first con
nect to GlobalProtect.</p></div>';
      }
      allow-traffic-blocking-notification-dismissal {
        value yes;
      }
      display-captive-portal-detection-msg {
        value yes;
      }
      captive-portal-detection-msg {
        value '<div style="font-family:'Verdana';"><h1 style="color:green; margin: 0; font-size: 16px;">Loginseite erkannt / Captive Portal Detected</h1><p style="margin: 0; font-size: 14px; line-height: 1.2em;">Bitte klicken Sie auf den
 Link, um sich anzumelden und Zugriff auf das Netzwerk zu erhalten: <a href="http://CAPTIVEPORTALREDIRECT">Klicken Sie hier</a><br/>Please click the link to login and to get access to the network: <a href="http://CAPTIVEPORTALREDIRECT">Click here</a></p></div>';
      }
      captive-portal-notification-delay {
        value 5;
      }
      certificate-store-lookup {
        value machine;
      }
      scep-certificate-renewal-period {
        value 7;
      }
      retain-connection-smartcard-removal {
        value yes;
      }
      enable-advanced-view {
        value yes;
      }
      enable-do-not-display-this-welcome-page-again {
        value yes;
      }
      rediscover-network {
        value yes;
      }
      resubmit-host-info {
        value yes;
      }
      can-change-portal {
        value no;
      }
      can-continue-if-portal-cert-invalid {
        value no;
      }
      show-agent-icon {
        value yes;
      }
      user-switch-tunnel-rename-timeout {
        value 0;
      }
      pre-logon-tunnel-rename-timeout {
        value 0;
      }
      show-system-tray-notifications {
        value no;
      }
      max-internal-gateway-connection-attempts {
        value 0;
      }
      portal-timeout {
        value 30;
      }
      connect-timeout {
        value 60;
      }
      receive-timeout {
        value 30;
      }
      enforce-dns {
        value yes;
      }
      flush-dns {
        value no;
      }
      proxy-multiple-autodetect {
        value no;
      }
      use-proxy {
        value yes;
      }
      wsc-autodetect {
        value yes;
      }
      mfa-enabled {
        value no;
      }
      mfa-listening-port {
        value 4501;
      }
      mfa-notification-msg {
        value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at";
      }
      ipv6-preferred {
        value yes;
      }
      init-panel {
        value no;
      }
    }
  }
  save-user-credentials 0;
  portal-2fa no;
  manual-only-gateway-2fa no;
  internal-gateway-2fa no;
  auto-discovery-external-gateway-2fa no;
  mdm-enrollment-port 443;
}

 

  • Config 2 (on this gateway local network access is disabled)
"Portal Client Config" {
  hip-collection {
    max-wait-time 20;
    collect-hip-data yes;
  }
  gateways {
    external {
      list {
        GATEWAY {
          fqdn GATEWAY;
          priority-rule {
            Any {
              priority 1;
            }
          }
          manual no;
        }
      }
      cutoff-time 5;
    }
  }
  authentication-override {
    generate-cookie no;
  }
  source-user any;
  os any;
  agent-ui {
    max-agent-user-overrides 0;
    agent-user-override-timeout 0;
  }
  internal-host-detection {
    ip-address INTERNAL-IP;
    hostname INTERNAL-FQDN;
  }
  gp-app-config {
    config {
      connect-method {
        value pre-logon;
      }
      refresh-config-interval {
        value 1;
      }
      agent-user-override {
        value disabled;
      }
      client-upgrade {
        value disabled;
      }
      use-sso {
        value yes;
      }
      logout-remove-sso {
        value yes;
      }
      krb-auth-fail-fallback {
        value yes;
      }
      retry-tunnel {
        value 30;
      }
      retry-timeout {
        value 5;
      }
      enforce-globalprotect {
        value yes;
      }
      captive-portal-exception-timeout {
        value 3600;
      }
      traffic-blocking-notification-delay {
        value 15;
      }
      display-traffic-blocking-notification-msg {
        value yes;
      }
      traffic-blocking-notification-msg {
        value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first con
nect to GlobalProtect.</p></div>';
      }
      allow-traffic-blocking-notification-dismissal {
        value yes;
      }
      display-captive-portal-detection-msg {
        value yes;
      }
      captive-portal-detection-msg {
        value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Captive Portal Detected</h1><p style="margin: 0; font-size: 15px; line-height: 1.2em;">GlobalProtect has tempo
rarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.</p><p style="margin: 0; font-size: 15px; line-height: 1.2em;">If you let the connection time out, open GlobalProtect and
 click Connect to try again.</p></div>';
      }
      certificate-store-lookup {
        value machine;
      }
      scep-certificate-renewal-period {
        value 7;
      }
      retain-connection-smartcard-removal {
        value yes;
      }
      enable-advanced-view {
        value yes;
      }
      enable-do-not-display-this-welcome-page-again {
        value yes;
      }
      rediscover-network {
        value yes;
      }
      resubmit-host-info {
        value yes;
      }
      can-change-portal {
        value no;
      }
      can-continue-if-portal-cert-invalid {
        value no;
      }
      show-agent-icon {
        value yes;
      }
      user-switch-tunnel-rename-timeout {
        value 0;
      }
      pre-logon-tunnel-rename-timeout {
        value -1;
      }
      show-system-tray-notifications {
        value no;
      }
      max-internal-gateway-connection-attempts {
        value 0;
      }
      portal-timeout {
        value 5;
      }
      connect-timeout {
        value 5;
      }
      receive-timeout {
        value 30;
      }
      enforce-dns {
        value yes;
      }
      flush-dns {
        value no;
      }
      proxy-multiple-autodetect {
        value no;
      }
      wsc-autodetect {
        value yes;
      }
      mfa-enabled {
        value no;
      }
      mfa-listening-port {
        value 4501;
      }
      mfa-notification-msg {
        value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at";
      }
      ipv6-preferred {
        value no;
      }
    }
  }
  save-user-credentials 0;
  portal-2fa no;
  manual-only-gateway-2fa no;
  internal-gateway-2fa no;
  auto-discovery-external-gateway-2fa no;
  mdm-enrollment-port 443;
}

 

- My machine was docked - i put it sleep and then undocked it

- At home I had to connect to the WiFi as my conneciton is manual

- When connected to WiFi that is when i noticed it

 

I will have to to re-test and pay more close attention to what i did. I will update the post if i am able to reproduce it

Added two rare issues in 5.0.2 to the third post in this topic.


@rj_raj wrote:

- My machine was docked - i put it sleep and then undocked it

- At home I had to connect to the WiFi as my conneciton is manual

- When connected to WiFi that is when i noticed it

 

I will have to to re-test and pay more close attention to what i did. I will update the post if i am able to reproduce it


@rj_raj I have added this issue to the open issues list. Would be great if you can add more details or even better if you are able to reproduce it.

L7 Applicator

I have added another low priority issue and also case numbers for the 3 issues that I have experienced so far with 5.0.2. I need to add here, the issues from me in the list I so far saw only once. Even if I tried, so far I was not able to reproduce them (which is good and bad at the same time)

L1 Bithead

Found an issue and able to reproduce the issue in 5.0.2. If user has MFA prompt and accidently hits OK without typing any code the client gets stuck in still working and nothing happens. Only way so far to get out that is to kill the panga process or restart the machine..

 

remo since you use OTP in your setup can you reproduce the issue - case number - 01147011

 

 

@rj_raj 

I was able to reproduce the issue. Without entering any OTP GP gets stuck at "still working" as you mentionned.

@rj_raj 

I have updated the third post in this topic with the open issues with the one described by you. In addition I have also created a case with a reference to yours.

Thanks!

I have a similar issue with GlobalProtect 5.0.3 and Duo MFA.  Not sure if everyone is aware how Duo MFA works with GlobalProtect, but instead of enter in a one-time passcode, you can enter in the number "1" and Duo will send a push notification to your mobile device.  Well, I entered in "1", never got the push notification(not sure why), but this caused the GlobalProtect client to get stuck at "Still Working...".  I waited 25 minutes and the client never timed out, it just kept trying.

  • 10926 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!